Study Guides > AWS Cybersecurity Notes > Amazon KMS

Overview

• Data encryption is the most critical aspect.

• Must know KMS and the API calls used in the service

Customer Master Keys

• Contain key material for encryption and decryption.

• CMKs are managed in KMS

• KMS provides a way to store and manage keys.

• They are used to manage encryption keys for data.

• KMS protects the CMKs

• CMKs integrate with AWS services.

• They can also be used outside of AWS.

• Two different types of CMK exist:

• Customer managed.

• AWS managed.

• CMKs support envelope encryption.

• A data key is generated for the data.

• The data key is encrypted with the CMK.

• Key usage is logged in CloudTrail and CloudWatch

AWS Managed CMKs

• Owned and used by AWS services

• Independent from the customer account.

• Can be used by services inside an account.

• They are rotated at least once per year.

• No control over when these keys roll.

• These keys are region specific.

Examples of AWS Managed CMKs

• AWS managed CMK for S3 - Used in data buckets.

• AWS KMS Default CMK - used for default encryption in EBS, RDS and Redshift.

Customer Managed Keys

• Provides the customer total control over the key.

The key Policy can be defined:

• Rotation schedules.

• Permissions.

• These keys are not tied to any feature or service.

• It is the customer responsibility to protect customer managed keys.

Selecting a key type

• Policy will dictate the key type.

• AWS managed keys may be ok if complete control is not needed.

• AWS managed keys have no charge.

• If policy states keys must be rotated on demand (after an incident) customer managed is best.

Data Encryption Keys

• These are generated by KMS for encrypting data.

• The are used in conjunction with customer-managed keys.

• A DEK is short-lived and used for a specific operation.

• Provides an extra layer of security.

DEK encrypts data

CMK encrypts the DEK

DEK facts

• A DEK is generated by KMS.
• A DEK is random.
• Envelope encryption.

• Data encrypted with DEK / DEK encrypted with CMK

• A DEK is fast and efficient.
• Can be used with various AWS services.
• KMS manages the DEK lifecycle
• DEK's are symmetric keys (they they are fast)

Key Material

AWS creates the material for the KMS key. [1]

• The customer can delete the key but not the key material.

• Key material cannot be exported, viewed or managed - it is secret!

KMS automatically creates the key material.

When you create your own CMK you can import your own key material.

• This key material must be encrypted with a symmetric encryption key.

Key Policies

These contol access to the KMS keys.

• Each KMS key is associated with a policy.

• Policy defines who can access they key.

• Policy helps enforce secure access to keys.

• Defines what users, roles and accounts can access a key.

• Also defines who can encrypt, decrypt and rotate.

Grants

• These define who can perform functions.

• Provide fine grained controls.

• Evelope encryption is used. Data is encrypted with a key, the key is encrypted with another key.

Envelope encrpytion in KMS

• The master key - Customer Master Key protects the data.

• A DEK is generated - the DEK is random.

• The DEK encrypts the data.

• The DEK is encrypted with the master key (CMK).

• The DEK is read when the data needs to be decrypted.

• The DEK is stored seperate from the data.